Cyber Posture

CVE-2026-4818

Severity: Medium
Published: 31 March 2026
Modified: 03 April 2026
KEV Added: not listed
CVSS Score: 6.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0004 (11.4th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-4818 is a medium-severity Improper Authorization (CWE-285) vulnerability in Search Guard FLX. Its CVSS v3.1 base score is 6.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 11.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and one other technique, Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)
Requires enforcement of approved authorizations for logical access to system resources, directly preventing unauthorized management operations on data streams due to the authorization bypass.

AC-6 Least Privilege (prevent)
Mandates least privilege to restrict users to only necessary accesses, limiting the potential impact and scope of exploitation by low-privilege attackers.

SI-2 Flaw Remediation (prevent)
Directly addresses the vulnerability by requiring timely flaw remediation through patching to Search Guard FLX 4.1.0 or later.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Authorization bypass (CWE-285/CWE-862) in network-accessible Search Guard allows low-privilege authenticated users to execute privileged management operations on data streams, directly enabling exploitation for privilege escalation (T1068) and exploitation of a public-facing application (T1190), with confidentiality and integrity impacts.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

In Search Guard FLX versions from 3.0.0 up to 4.0.1, there exists an issue which allows users without the necessary privileges to execute some management operations against data streams.

Deeper analysis

CVE-2026-4818 is an authorization bypass vulnerability affecting Search Guard FLX versions from 3.0.0 up to 4.0.1. The flaw, tied to CWE-285 (Improper Authorization) and CWE-862 (Missing Authorization), enables users lacking required privileges to perform certain management operations on data streams. It carries a CVSS v3.1 base score of 6.8 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating medium severity with network accessibility, high attack complexity, low privileges required, and significant impacts on confidentiality and integrity but no availability disruption.

An authenticated attacker with low privileges (PR:L) can exploit this vulnerability over the network, though it requires high complexity preconditions (AC:H). Successful exploitation allows unauthorized execution of management operations against data streams, potentially leading to high confidentiality and integrity violations, such as unauthorized data access or modification.

Mitigation details are outlined in the Search Guard advisories, including the changelog for version 4.1.0 at https://docs.search-guard.com/latest/changelog-searchguard-flx-4_1_0 and the CVE advisory at https://search-guard.com/cve-advisory/. Practitioners should upgrade to Search Guard FLX 4.1.0 or later to address the issue.

Details

CWE(s)

CWE-285 (Improper Authorization)
CWE-862 (Missing Authorization)

Affected Products

search-guard / flx: 3.0.0 — 4.1.0

CVEs Like This One

CVE-2026-33950 (shared CWE-285, CWE-862)
CVE-2026-22683 (shared CWE-862)
CVE-2026-41454 (shared CWE-862)
CVE-2025-67967 (shared CWE-862)
CVE-2025-12158 (shared CWE-862)
CVE-2026-4248 (shared CWE-285)
CVE-2024-13232 (shared CWE-862)
CVE-2025-53792 (shared CWE-285)
CVE-2025-31255 (shared CWE-285)
CVE-2026-28515 (shared CWE-862)

References

Search Guard FLX 4.1.0 changelog: https://docs.search-guard.com/latest/changelog-searchguard-flx-4_1_0
Search Guard CVE advisory: https://search-guard.com/cve-advisory/